Cyber crime in the UK – is it is bad as they say or worse?

April 2019 | EXPERT BRIEFING | RISK MANAGEMENT

financierworldwide.com

In November 2016, the government published the ‘National Cyber Security Strategy 2016-2021’ (NCSS). Philip Hammond, who was appointed Chancellor of the Exchequer on 13 July 2016, drafted the forward that said: “Cyber-attacks are growing more frequent, sophisticated and damaging when they succeed. So, we are taking decisive action to protect both our economy and the privacy of UK citizens.” But, is this just a scare tactic? How can we determine whether those statistics are suggestive of a problem that is a risk to the prosperity and security of the UK?

The Crown Prosecution Service (CPS) has said that cyber crime is an umbrella term to describe two closely linked, but distinct, ranges of criminal activity: (i) cyber dependant crimes (where cyber devices are both tools and targets) such as malware attacks; and (ii) cyber enabled crimes, where traditional crimes (i.e., fraud) can be furthered by use of cyber devices.

For the purposes of this analysis, the definitions in the Convention on Cybercrime will be adopted. As such, cyber crime is defined as: (i) offences against the confidentiality, integrity and availability of computer data and systems; (ii) computer-related offences; and (iii) content-related offences.

Although some of these forms of virtual criminality are new, a great deal of crime committed with or against computers differs only in terms of the medium. On the other hand, just as the offence of phone tapping could not have existed before the creation of the telephone, computer hacking could not have taken place before the rise of the internet. Although some offences pre-existed in terms of intent, the application of that intent has shifted.

In the year ending 2016, the total number of offences labelled as online crime was 0.8 percent of all offences recorded by the police in England and Wales. In the year ending June 2018, this figure had risen to 2 percent. This shows a sharp increase in the number of cyber crimes recorded.

However, out of the 31,148 offences labelled as online crime, 15,137 were for harassment and stalking. This figure rose to 50,680 in the year ending 2018 – three times the 2016 figure. Therefore, if we are to judge the offences recorded as indicative of the prevalence of cyber crime it would prove to be ‘bad’ as there has been a surge.

Other factors need to be taken into consideration when analysing these statistics. Although there has been a sharp increase in cyber crime, are these offences serious enough to warrant genuine concern to risk and prosperity?

Bear in mind that it was not until relatively recently that the survey included fraud and cyber crime in its estimates. Therefore, the surge is inevitable as previously the offences were not recorded.

Seventy-nine percent of recordable offences for the year ending June 2018 were comprised of harassment and stalking (15 percent), obscene publications (49 percent) and child sexual offences (15 percent). Therefore, eight in 10 offences involved electronic content being distributed either to online platforms, p2p sites, handheld devices and so on.

When considering the ‘obscene publications’ figures, it is difficult to determine how prevalent this offence is. Although it makes up 49 percent of offences, it is for a jury to decide what is obscene. Therefore, this figure is misleading because there have not been 11,796 such prosecutions this year.

The figures are based on offences ‘flagged’. It is the police determining what is ‘flagged’, and although protocols exist, this can be very deceptive as it requires all “forces to return quarterly information on the number of crimes flagged as being committed online (in full or in part)”. It also notes, “Work is still ongoing with forces to improve the quality of the data submitted in this collection”. In addition, a number of police forces were unable to provide data in the report. This suggests that the statistics are unreliable.

The rise of social media in the UK has surged in recent years. The UK has 44 million active social media users, according to Statista. Sixty-six percent of the population use websites like Twitter, Facebook and Instagram. As a result, significant quantities of content are being generated, including comments, articles, blogs, photographs and videos, and 38 million of the active users are accessing social media via their mobile devices. In a world where debate on political events is at a high, being able to offer your opinions to the world via electronic means and reach a large audience has never been easier. However, the bigger the audience, the more likely you are to receive complaints.

But there are different forms of abuse. Understandably, one of the most despised of all crimes is the possession and distribution of images of child sexual abuse. According to a study by the Internet Watch Foundation, 57,335 URLs were found to contain child sexual abuse imagery, and these were linked to 2416 domains worldwide. This is a 21 percent increase from 1991 in 2015. Although this figure is worldwide, the report details ways in which “criminals are increasingly using masking techniques to hide child sexual abuse images and videos on the internet and leaving clues to paedophiles so they can find it – hidden behind legal content”. Therefore, regardless of statistics, the sophisticated nature of attacks should be a concern as they can leave individuals and businesses vulnerable to attack and used as harbours for illegal content.

As we know, we should not place too much emphasis on crime statistics, as an increase in recorded crime does not necessarily mean the level of crime has increased.

For many types of crime, police recorded crime statistics do not provide a reliable measure of levels or trends in crime as they only cover crimes that come to the attention of the police.

It is clear that the most common crimes committed are the content-related offences, as detailed in the Law Commission’s ‘Abusive and Offensive Online Communications: A Scoping Report’, and the main legislation for these is section 127 of the Communications Act 2003 and section 1 of the Malicious Communications Act 1988.

The interpretations of the two pieces of legislation are very broad as they contain phrases such as “indecent and grossly offensive”. Section 127 takes it a step further, stating that it is an offence to send a message that is grossly offensive or of an indecent, obscene or “menacing character” over a public electronic communications network. Again this is very broad. The ongoing debate between freedom of expression and what is defined as offensive will continue to evolve. What was acceptable 10 years ago may not be acceptable in 2019.

Across the UK media, we have seen headlines claiming that there has been an increase in the number of hate crime offences recorded by the police over the last 12 months. However, when considering these figures, it is important to refer to the findings of the Law Commission when it released the Scoping Report on 1 November 2018.

One of the findings in the report noted “the evidence of a victim is usually not necessary to demonstrate that the offence has been committed”. Therefore, the work required to produce a prima facie case is easier as you do not need to get evidence from the victim. There is no need to trace, convince, proof and draft. The evidence of one witness may be sufficient.

When considering the recent comments made by the home secretary Sajid David, “Hate crime goes directly against the long-standing British values of unity, tolerance and mutual respect – and I am committed to stamping this sickening behaviour out”, it is not outlandish to think that there is a focus on clamping down on hate crime and that the statistics could be politically influenced. However, these are not the real threat of cyber crime, the main threats posed to the UK are much bigger.

The National Cyber Security Centre (NCSC), a part of the Government Communications Headquarters (GCHQ), became operational on 1 October 2016. “The NCSC acts as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security”, according to its website.

The creation of the NCSC demonstrates the importance placed on cyber security by the government. The NCSC has offered guidance to businesses due to the emergence of new threats. It has also provided advice noting that there are no mitigations that are completely effective against malware infection. The government is very aware of the real threat that cyber crime poses to the UK economy. “The number of attacks is rising each year, and it has been estimated that online fraud and cybercrime cost the UK over £11bn in 2016”, according to the Institute of Directors.

The real risk of cyber crime is not malicious communications, however, despite the statistics. It is the more sophisticated offences like hacking, as seen in the case of Maersk – an attack that brought the shipping industry to its knees. According to a transport survey from Norton Rose Fulbright, “87 percent of respondents from the shipping industry believed cyber attacks would increase over the next five years – a level that was higher than counterparts in the aviation, rail and logistics industries”. Considering that “90 percent of the world’s trade is transported by sea, with ships and ports acting as the arteries of the global economy”, according to Reuters, the threat of cyber crime is profound. By attacking particular industries, our national security can be affected. It is important to also note that the knock-on effects of an attack, such as fear, anxiety and financial loss, impact premiums for insurance. And it seems that no industry is fully protected.

In 2018, the Telegraph reported that “Cyber-attacks are one of the biggest threats that schools face”. The article included information regarding the growing phenomena of phishing – where people trick others into providing sensitive information. What we are seeing now is what we would term ‘whaling’, where a finance director or bursar is targeted and asked to transfer thousands of pounds. These requests are often accompanied by threats and blackmail. A person unaware of potential remedies can be forced to part with significant sums, and more worryingly, sensitive data.

The most concerning types of cyber crimes, however, are those that can affect us all. Recently, a Liberian telecommunications provider was hacked by a British man and, as a result of him creating and using a botnet, his actions disabled internet access across Liberia. This was an offence that warranted a mere two years and eight month custodial sentence. This is the real threat to the UK. It does not matter how many cyber crimes are committed, it only takes one to put all of our security at risk. That is why agencies like Mi5 have opened cyber departments and the UK has brought police, security industry experts and academics together as the new Cyber Crime Reduction Partnership – part of a new initiative to combat the increasingly organised nature of online criminality.

The head of the UK’s NCSC has warned that a major cyber attack on the UK will happen – it is just a matter of when. This raises the prospect of devastating disruption to the UK’s infrastructure.

Furthermore, caution must be exercised when assessing online crime statistics. For example, Office for National Statistics (ONS) figures include criminal damage to a dwelling and criminal damage to a vehicle – offences that should not have been included in statistics pertaining to online crime.

Finally, it has been suggested that although there was a 31 percent decrease in cyber crime over 2017, this is thought to be due to fewer computer viruses and better antivirus technology. Again, though, this highlights the low-level type of cyber crime being attempted. In truth, cyber crime is not just as ‘bad as they say it is’: it is worse. Technologies are forever evolving and cyber criminals are becoming even more sophisticated. The battle has only just begun.

Paris Theodorou is a solicitor and John Hartley is a partner at Hodge Jones & Allen. Mr Theodorou can be contacted on +44 (0)20 7874 8594 or by email: ptheodorou@hja.net. Mr Hartley can be contacted on +44 (0)020 7874 8489 or by email: jhartley@hja.net.